Equifax Adds 2.4 Million More People to List of Those Impacted By 2017 Breach

Equifax said that an additional 2.4 million Americans have been impacted by a 2017 data breach, bringing the total of those implicated to around 148 million people.

Equifax said that an additional 2.4 million Americans have had their personal data stolen as part of the company’s massive 2017 data breach, including their names and some of their driver’s license information.

The additional identified victims bring the total of those implicated in what has become the largest data breach of personal information in history to around 148 million people.

The consumer credit reporting agency on Thursday said that as part of an “ongoing analysis” it found that these newly identified victims’ names and partial driver’s license numbers were stolen by attackers. However, unlike the previous 145.5 million people who have been identified to date as impacted by the 2017 breach, the Social Security numbers of these additional victims were not impacted.

Attackers were also unable to reach additional license details for this latest slew of impacted victims – including the state where their licenses were issued and the expiration dates.

“This is not about newly discovered stolen data,” Paulino do Rego Barros, Jr., interim chief executive officer of Equifax, said in a statement. “It’s about sifting through the previously identified stolen data, analyzing other information in our databases that was not taken by the attackers, and making connections that enabled us to identify additional individuals.”

Equifax said the new victims were not previously identified because their Social Security numbers were not stolen together with their driver’s license information.

“The methodology used in the company’s forensic examination of last year’s cybersecurity incident leveraged Social Security Numbers (SSNs) and names as the key data elements to identify who was affected by the cyberattack,” said the company in a statement. “This was in part because forensics experts had determined that the attackers were predominately focused on stealing SSNs.”

Equifax said it will notify the newly identified consumers directly by U.S. Postal mail “and will offer identity theft protection and credit file monitoring services at no cost to them.”

The company did not respond to requests for further comment from Threatpost about its ongoing analysis of the breach.

Ongoing Breach Disclosures

Equifax has been under public scrutiny since September, when it first disclosed the data breach in a statement saying that cybercriminals had exploited an unnamed “U.S. website application vulnerability to gain access to certain files” from May through July 2017. Equifax said it discovered the breach on July 29. The breach enabled criminals to access sensitive data like Social Security numbers, birth dates, and license numbers.

Later, during Equifax’s testimony in October before the U.S. House Committee on Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection, it was revealed that the breach was tied to an unpatched Apache Struts vulnerability, CVE-2017-5638, of which Equifax had been notified in March. It was established that, although Equifax said it had asked the “applicable personnel responsible” to patch the vulnerability, it was never fixed.

“It appears that the breach occurred because of both human error and technology failures,” Richard Smith, Equifax CEO at the time, wrote in testimony that was released at the hearing in October.

Making matters worse was Equifax’s botched response to the breach.

After the breach was revealed in September, the company’s site was crushed with traffic from concerned customers that left the site unreachable. In a separate instance in October, the Equifax site came under fire for harboring adware in a third-party partner’s Flash Player download.

The extent and scope of the breach also has been continually expanding since it was first disclosed in September. In October, after an analysis with security company Mandiant, the company said that an additional 2.5 million customers were also impacted on top of the 143 million the company initially said were affected.

This latest slew of impacted customers has renewed anger against the company, with some demanding stricter legislation for data protection – such as the proposed Data Breach Prevention and Compensation Act, which would impose strict security-related fines on credit reporting agencies.

My office is continuing our investigation of #Equifax so we can get to the bottom of how this disastrous data breach happened.

This is unacceptable. The California Department of Justice will continue to get to the bottom of this massive cybersecurity incident. We are committed to holding #Equifax accountable to the fullest extent of the law. https://t.co/fRPrUWcIyg

Equifax, meanwhile, continues to remain under investigation by several federal and state agencies, including a probe by the Consumer Financial Protection Bureau.

Customers can see if their personal information has been breached by clicking on an “Am I Impacted” tool on Equifax’s website. The company also advised consumers to visit its web portal where they can review their account statements and credit reports, identify any unauthorized activity, and protect their personal information from attack.

The company handles data on more than 820 million customers and 91 million businesses worldwide.

Discussion

Equifax data is being used by other companies like Life-Lock, Leasing Companies, Credit Companies, etc.
So if you do the math 145.5 million US people, 312 million US SSN's, minus the young US people below the age of 20, .... Is there something I'm missing, why are these companies still using Equifax data?

Worst part of this is if you go to Equifax's site it has a 90 day fraud alert you can sign up for, guess what they ask for? All of the information they just lost about us. YEAH I really trust giving you all of this data about me a second time for you to just lose again. Ridiculous.

When this breach first occurred, I thought people would start getting woke to the fact so many aspects of our lives are developed collectively, mainly through taxes, but also university research grants and as in the instance of the financial apparatus of credit rating which consumers pay for (both again, taxation of sorts) only to be handed over to private industries to maximally profit from with little regard for anything but the best case scenario.
I suggest we all move to Detroit and live off of the land.

Which is worse, Facebook scandal or Equifax breach? Who cares? Why ask who cares? Emphasis from the media getting higher rating over "scandal" than "data breach". Who cares about what's really important? Sadly, it doesn't seem like anyone with the ability to do anything about it. Personally, there should be fines against both companies based upon the impact of the current laws broken. If they falsified auditing documents, they should be penalized even more. Again, who cares? Only time will tell.
